Analysis
- max time kernel: 60s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/04/2023, 06:04
- Static task: static1
- Behavioral task: behavioral1
- Sample: 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
- Resource: win10v2004-20230220-en
General
- Target: 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
- Size: 530KB
- MD5: 30843c7d717e1963ac1011dd3a24688c
- SHA1: 8e372226bb0c5bcf09966e0914f9eab64e45fcb8
- SHA256: 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077
- SHA512: b5cbe97b166dd8bfe80d188dbe4acbb931242477dde0347c60fe0792fade23d4b14c8b70c99497302480f0617f320685a50584d00e33d252a914de81fde516b0
- SSDEEP: 12288:GMrwy90HtDAxPm1Q9yUStQLJtUbshFnSw:iyItePmG9k8tUbESw
Malware Config

Extracted
- Family: redline
- Botnet: rosn
- C2: 176.113.115.145:4125
- auth_value: 050a19e1db4d0024b0f23b37dcf961f4

Extracted
- Family: redline
- Botnet: spora
- C2: 176.113.115.145:4125
- auth_value: 441b39ab37774b2ca9931c31e1bc6071
Signatures

Modifies Windows Defender Real-time Protection settings
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | jr198355.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | jr198355.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | jr198355.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | jr198355.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | jr198355.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | jr198355.exe
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (33 IoCs)
resource | yara_rule
All 33 hits are memory dumps of the same region of PID 3648, 0x0000000004B30000-0x0000000004B6F000, each matching yara rule family_redline. The resource paths follow the pattern behavioral1/memory/3648-<index>-0x0000000004B30000-0x0000000004B6F000-memory.dmp with dump indices 158, 159, 161, 163, 165, 167, 169, 171, 173, 175, 177, 179, 181, 183, 185, 187, 189, 191, 193, 195, 197, 199, 201, 203, 205, 207, 209, 211, 213, 215, 217, 219 and 221.
Executes dropped EXE (4 IoCs)
pid | Process
548 | ziDD7673.exe
2120 | jr198355.exe
3648 | ku525755.exe
2516 | lr516330.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | jr198355.exe

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce | ziDD7673.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | ziDD7673.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoC)
pid | pid_target | Process | procid_target
384 | 3648 | WerFault.exe | 89

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
2120 | jr198355.exe
2120 | jr198355.exe
3648 | ku525755.exe
3648 | ku525755.exe
2516 | lr516330.exe
2516 | lr516330.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2120 | jr198355.exe
Token: SeDebugPrivilege | 3648 | ku525755.exe
Token: SeDebugPrivilege | 2516 | lr516330.exe

Suspicious use of WriteProcessMemory (11 IoCs)
description | pid | Process | procid_target
PID 3536 wrote to memory of 548 | 3536 | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe | 84
PID 3536 wrote to memory of 548 | 3536 | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe | 84
PID 3536 wrote to memory of 548 | 3536 | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe | 84
PID 548 wrote to memory of 2120 | 548 | ziDD7673.exe | 85
PID 548 wrote to memory of 2120 | 548 | ziDD7673.exe | 85
PID 548 wrote to memory of 3648 | 548 | ziDD7673.exe | 89
PID 548 wrote to memory of 3648 | 548 | ziDD7673.exe | 89
PID 548 wrote to memory of 3648 | 548 | ziDD7673.exe | 89
PID 3536 wrote to memory of 2516 | 3536 | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe | 93
PID 3536 wrote to memory of 2516 | 3536 | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe | 93
PID 3536 wrote to memory of 2516 | 3536 | 55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe | 93
Processes
- C:\Users\Admin\AppData\Local\Temp\55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe"
  PID: 3536
  Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDD7673.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDD7673.exe
    PID: 548
    Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr198355.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr198355.exe
      PID: 2120
      Signatures: Modifies Windows Defender Real-time Protection settings; Executes dropped EXE; Windows security modification; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525755.exe (depth 3)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525755.exe
      PID: 3648
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WerFault.exe (depth 4)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 968
        PID: 384
        Signatures: Program crash
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr516330.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr516330.exe
    PID: 2516
    Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3648 -ip 3648
  PID: 2544
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 176KB
  MD5: dd637182ef40911cc67d920ab27f3d1b
  SHA1: a06be16ab563b42e7e42d04f2a6e8cb196ea9d9e
  SHA256: 137b173aea38c3c9dcfa3742a8b3c5790a12f4fb03892e1c7ca8ef9f2b66f87a
  SHA512: 1e1ae5f45bed72acd75ff16662b522285fbdf557daf84939b4fb711d9f0f2b08313030f5135154ab82d66820257e795246b2f36e58e516504031d4f01b2f8a8c
- Filesize: 387KB
  MD5: 27f8e6363dce659b324e5641c30709d7
  SHA1: 515547036fd23b95f32aea8e06f43582c811b4e3
  SHA256: 32736e819f75e26afd8ec27d0df553bf9a9f6efa8b8d179e87e8c5b0f820d3e2
  SHA512: 04b550867799a702a72464e5ebbc48f9007ffc7848f0e35dd479d62d5dec1c198292d0c3401b235680dd33744f3aeda1b7074b727541f70de70f1d95c363bdd9
- Filesize: 12KB
  MD5: 4f6cfc203061090123f931df9e71ecb3
  SHA1: 61375f4b936d63d7df13f64fdb93a31df71d0f97
  SHA256: a00fbafce8da0da20272c61a9a44f57de2cfca88a56cfbdf7fb6bcc2e59b2501
  SHA512: 821141ea539f88d2f920cca3ad6d7dc94b38397af91807a8acb47ab90872fd6eb20fe62a93395946c50a6d0e5e9fc224ff184ad088782722a6d611add121f2d8
- Filesize: 342KB
  MD5: d6b2fcb1ce832c7b837174422f922bbd
  SHA1: 62fd2dd22bcbe3b84dbf8d3bcec855ab73475aeb
  SHA256: 33aa92f22b35598001bd733affa0a18c7cae0ccbb8ec9530325547ca9e1e9954
  SHA512: 3c8a47c7bce7507c0b0b947054092e72ba0ce5093087d82177d3888964a72b7380450916322c42fe53e2aacc286cb268c8a97f3b7d3e9b6dbafda7ce7e3a8e9d